Windows Server 2008 Active Directory Configuring - 70-640

1. You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone. You need to ensure that outdated DNS records are automatically removed from the DNS zone. What should you do?

From the properties of the zone, modify the TTL of the SOA record.

From the properties of the zone, enable scavenging.

From the command prompt, run ipconfig /flushdns.

From the properties of the zone, disable dynamic updates.

Enabling scavenging from the properties of the zone allows for automatic removal of outdated DNS records. Scavenging is a feature in Active Directory-integrated DNS zones that allows the DNS server to automatically delete stale resource records based on a specified refresh interval and no-refresh interval. This helps to keep the DNS zone clean and up to date by removing records that are no longer valid or needed. Modifying the TTL of the SOA record, running ipconfig /flushdns, or disabling dynamic updates would not address the requirement of automatically removing outdated DNS records.

Explanation

Enabling scavenging from the properties of the zone allows for automatic removal of outdated DNS records. Scavenging is a feature in Active Directory-integrated DNS zones that allows the DNS server to automatically delete stale resource records based on a specified refresh interval and no-refresh interval. This helps to keep the DNS zone clean and up to date by removing records that are no longer valid or needed. Modifying the TTL of the SOA record, running ipconfig /flushdns, or disabling dynamic updates would not address the requirement of automatically removing outdated DNS records.

2. You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What tool should you use?

Active Directory Users and Computers snap-in

Ntdsutil

Local Users and Groups snap-in

Dsmod

You should use the ntdsutil tool to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

Explanation

You should use the ntdsutil tool to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

3. Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. What should you do?

Set dynamic updates to Secure Only.

Remove the Authenticated Users group.

Enable zone transfers to Name Servers.

Deny the Everyone group the Create All Child Objects permission.

Setting dynamic updates to Secure Only is the correct answer because it ensures that only domain members with proper authentication can dynamically register their DNS records. This setting provides an added layer of security by preventing unauthorized devices or users from registering DNS records in the intranet.adatum.com zone.

Explanation

Setting dynamic updates to Secure Only is the correct answer because it ensures that only domain members with proper authentication can dynamically register their DNS records. This setting provides an added layer of security by preventing unauthorized devices or users from registering DNS records in the intranet.adatum.com zone.

4. Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role. DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role. You need to ensure that DC2 holds the Schema Master role. What should you do?

Configure DC2 as a bridgehead server.

On DC2, seize the Schema Master role.

Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.

On DC2, seize the Schema Master role. When the current Schema Master (DC1) fails, the Schema Master role needs to be transferred to another domain controller (DC2) to ensure its availability. Seizing the role means forcibly taking control of it from the failed DC1. This can be done using the Active Directory Schema snap-in on DC2.

Explanation

On DC2, seize the Schema Master role. When the current Schema Master (DC1) fails, the Schema Master role needs to be transferred to another domain controller (DC2) to ensure its availability. Seizing the role means forcibly taking control of it from the failed DC1. This can be done using the Active Directory Schema snap-in on DC2.

5. Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC. What should you do?

Add another RODC to the branch office.

Configure a new bridgehead server in the main office.

Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.

Configure the Password Replication Policy on the RODC.

To ensure that users at the branch office are able to log on to the domain using the RODC, the Password Replication Policy needs to be configured on the RODC. This policy allows the RODC to store a copy of user passwords locally, enabling authentication requests to be processed locally without the need for communication with the main office. By configuring this policy, users at the branch office will be able to log on to the domain using the RODC even if there is limited or no connectivity with the main office.

Explanation

To ensure that users at the branch office are able to log on to the domain using the RODC, the Password Replication Policy needs to be configured on the RODC. This policy allows the RODC to store a copy of user passwords locally, enabling authentication requests to be processed locally without the need for communication with the main office. By configuring this policy, users at the branch office will be able to log on to the domain using the RODC even if there is limited or no connectivity with the main office.

6. Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. You need to ensure that the user is able to log on to the computer. What should you do?

Run the netsh command with the set and machine options.

Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.

Run the netdom TRUST /reset command.

Run the Active Directory Users and Computers console to disable, and then enable the computer account.

When a computer is turned off for an extended period of time, its computer account in Active Directory may become expired or disabled. Resetting the computer account and then disjoining and rejoining the computer to the domain will refresh the computer account and allow the user to log in successfully.

Explanation

When a computer is turned off for an extended period of time, its computer account in Active Directory may become expired or disabled. Resetting the computer account and then disjoining and rejoining the computer to the domain will refresh the computer account and allow the user to log in successfully.

7. An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume. What should you do?

Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

Move the ntds.dit file to the new volume by using Windows Explorer.

Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.

Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

not-available-via-ai

Explanation

not-available-via-ai

8. Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS). You need to create new organizational units in the AD LDS application directory partition. What should you do?

Use the dsmod OU command to create the organizational units.

Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.

Use the dsadd OU command to create the organizational units.

Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.

The correct answer is to use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. ADSI Edit is a Microsoft Management Console (MMC) snap-in that allows administrators to manage Active Directory and AD LDS objects and attributes. It provides a graphical interface for creating and modifying objects in the directory. This is the appropriate tool to use when working with AD LDS application directory partitions. The other options, such as using dsmod OU or Active Directory Users and Computers snap-in, are not specific to AD LDS and may not provide the necessary functionality for managing the application directory partition.

Explanation

The correct answer is to use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. ADSI Edit is a Microsoft Management Console (MMC) snap-in that allows administrators to manage Active Directory and AD LDS objects and attributes. It provides a graphical interface for creating and modifying objects in the directory. This is the appropriate tool to use when working with AD LDS application directory partitions. The other options, such as using dsmod OU or Active Directory Users and Computers snap-in, are not specific to AD LDS and may not provide the necessary functionality for managing the application directory partition.

9. Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. What should you do?

Create a new stub zone for the intranet.fabrikam.com domain.

Configure conditional forwarding for the intranet.fabrikam.com domain.

Create a standard secondary zone for the intranet.fabrikam.com domain.

Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain.

The correct answer is to configure conditional forwarding for the intranet.fabrikam.com domain. This solution allows Contoso users to resolve names from the intranet.fabrikam.com domain without transferring the internal DNS zone data outside the Fabrikam network, which complies with Fabrikam's security policy. Conditional forwarding allows DNS servers to forward queries for specific domains to specific DNS servers, in this case, Contoso's DNS servers can forward queries for intranet.fabrikam.com to Fabrikam's DNS servers. This ensures that Contoso users can resolve names from the intranet.fabrikam.com domain while keeping the zone data within Fabrikam's network.

Explanation

The correct answer is to configure conditional forwarding for the intranet.fabrikam.com domain. This solution allows Contoso users to resolve names from the intranet.fabrikam.com domain without transferring the internal DNS zone data outside the Fabrikam network, which complies with Fabrikam's security policy. Conditional forwarding allows DNS servers to forward queries for specific domains to specific DNS servers, in this case, Contoso's DNS servers can forward queries for intranet.fabrikam.com to Fabrikam's DNS servers. This ensures that Contoso users can resolve names from the intranet.fabrikam.com domain while keeping the zone data within Fabrikam's network.

10. Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers. What should you do?

Decrease the replication schedule for the DEFAULTIPSITELINK object.

Decrease the replication interval for the DEFAULTIPSITELINK object.

Decrease the cost between the connection objects.

Decrease the replication interval for all connection objects.

Decreasing the replication interval for the DEFAULTIPSITELINK object will reduce the time between replication cycles, thereby decreasing the replication latency between the domain controllers. This will ensure that changes made in one site are quickly replicated to the other sites, improving overall network performance and reducing the chances of data inconsistencies.

Explanation

Decreasing the replication interval for the DEFAULTIPSITELINK object will reduce the time between replication cycles, thereby decreasing the replication latency between the domain controllers. This will ensure that changes made in one site are quickly replicated to the other sites, improving overall network performance and reducing the chances of data inconsistencies.

11. Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the Sales OU. What should you do?

Perform an authoritative restore of the Sales OU.

Perform a non-authoritative restore of the Sales OU.

Perform an authoritative restore of the Groups OU.

Perform a non-authoritative restore of the Groups OU.

Performing an authoritative restore of the Groups OU is the correct answer because it will restore the deleted OU and its objects while maintaining their original state and attributes. This means that any changes made to the objects after the backup was taken will be overwritten. Restoring the Sales OU would not bring back the deleted Groups OU. Performing a non-authoritative restore of either the Sales OU or the Groups OU would not restore the deleted Groups OU.

Explanation

Performing an authoritative restore of the Groups OU is the correct answer because it will restore the deleted OU and its objects while maintaining their original state and attributes. This means that any changes made to the objects after the backup was taken will be overwritten. Restoring the Sales OU would not bring back the deleted Groups OU. Performing a non-authoritative restore of either the Sales OU or the Groups OU would not restore the deleted Groups OU.

12. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data. What should you do?

Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.

Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.

On both servers, modify the interface that the DNS server listens on.

Converting the primary zone into an Active Directory-integrated zone and deleting the secondary zone is the correct answer because Active Directory-integrated zones use secure dynamic updates and replication, which ensures that the replication of the contoso.com zone is encrypted. By converting the primary zone, you are ensuring that the zone data is not lost. Deleting the secondary zone is necessary because it is not needed once the primary zone is converted to an Active Directory-integrated zone.

Explanation

Converting the primary zone into an Active Directory-integrated zone and deleting the secondary zone is the correct answer because Active Directory-integrated zones use secure dynamic updates and replication, which ensures that the replication of the contoso.com zone is encrypted. By converting the primary zone, you are ensuring that the zone data is not lost. Deleting the secondary zone is necessary because it is not needed once the primary zone is converted to an Active Directory-integrated zone.

13. You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console?

Enable debug logging.

Enable automatic testing for simple queries.

Configure event logging to log errors and warnings.

Enable automatic testing for recursive queries.

Enabling debug logging in the DNS Manager console will allow you to record all inbound DNS queries to the server. Debug logging provides detailed information about DNS queries and responses, which can be useful for troubleshooting and analysis purposes. By enabling debug logging, you can capture and analyze the DNS traffic to identify any issues or anomalies in the DNS server's operation. This can help in diagnosing and resolving DNS-related problems effectively.

Explanation

Enabling debug logging in the DNS Manager console will allow you to record all inbound DNS queries to the server. Debug logging provides detailed information about DNS queries and responses, which can be useful for troubleshooting and analysis purposes. By enabling debug logging, you can capture and analyze the DNS traffic to identify any issues or anomalies in the DNS server's operation. This can help in diagnosing and resolving DNS-related problems effectively.

14. You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)

Domain naming master

Infrastructure master

RID master

PDC emulator

Schema master

To transfer all forest-wide operations master roles to another domain controller, you should transfer the Domain Naming Master role and the Schema Master role. The Domain Naming Master role is responsible for managing the addition and removal of domains in the forest, while the Schema Master role is responsible for managing changes to the Active Directory schema. By transferring these two roles, you ensure that the new domain controller has the necessary authority to perform these critical functions within the forest.

Explanation

To transfer all forest-wide operations master roles to another domain controller, you should transfer the Domain Naming Master role and the Schema Master role. The Domain Naming Master role is responsible for managing the addition and removal of domains in the forest, while the Schema Master role is responsible for managing changes to the Active Directory schema. By transferring these two roles, you ensure that the new domain controller has the necessary authority to perform these critical functions within the forest.

Submit

15. Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to create multiple password policies for users in your domain. What should you do?

From the Group Policy Management snap-in, create multiple Group Policy objects.

From the Schema snap-in, create multiple class schema objects.

From the ADSI Edit snap-in, create multiple Password Setting objects.

From the Security Configuration Wizard, create multiple security policies.

To create multiple password policies for users in a single Active Directory domain, you need to use the ADSI Edit snap-in and create multiple Password Setting objects. This is because the functional level of the forest is Windows Server 2008 R2, which does not natively support multiple password policies. The ADSI Edit snap-in allows you to modify the Active Directory schema and create custom password policies by creating Password Setting objects. These objects can then be linked to specific user groups to enforce different password policies for different groups of users.

Explanation

To create multiple password policies for users in a single Active Directory domain, you need to use the ADSI Edit snap-in and create multiple Password Setting objects. This is because the functional level of the forest is Windows Server 2008 R2, which does not natively support multiple password policies. The ADSI Edit snap-in allows you to modify the Active Directory schema and create custom password policies by creating Password Setting objects. These objects can then be linked to specific user groups to enforce different password policies for different groups of users.

16. Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the Payroll files on the file servers. What should you do?

Enabling the Audit object access option allows tracking of access to objects such as files. Linking the GPO to the Payroll organizational unit ensures that the GPO is applied to the file servers in the Payroll OU. Configuring Auditing for the Everyone group in the Payroll folder on the file servers means that all employees, regardless of their authentication status, will have their access to the Payroll files tracked. This combination of actions allows for effective monitoring of employee access to the Payroll files on the file servers.

Explanation

Enabling the Audit object access option allows tracking of access to objects such as files. Linking the GPO to the Payroll organizational unit ensures that the GPO is applied to the file servers in the Payroll OU. Configuring Auditing for the Everyone group in the Payroll folder on the file servers means that all employees, regardless of their authentication status, will have their access to the Payroll files tracked. This combination of actions allows for effective monitoring of employee access to the Payroll files on the file servers.

17. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. What should you do?

Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.

Enable the Audit account management policy in the Default Domain Controller Policy.

Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

To ensure that changes made to Active Directory objects can be logged and include the old and new values of any attributes, you need to configure the Security settings of the Domain Controllers OU using auditpol.exe. This will allow you to enable the necessary audit settings for the domain controllers. Enabling the Audit account management policy in the Default Domain Controller Policy or the Audit directory service access setting in the Default Domain policy alone will not provide the required level of logging.

Explanation

To ensure that changes made to Active Directory objects can be logged and include the old and new values of any attributes, you need to configure the Security settings of the Domain Controllers OU using auditpol.exe. This will allow you to enable the necessary audit settings for the domain controllers. Enabling the Audit account management policy in the Default Domain Controller Policy or the Audit directory service access setting in the Default Domain policy alone will not provide the required level of logging.

18. Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do?

Create a new stub zone named ad.contoso.com on DC2.

Create a new standard secondary zone named ad.contoso.com on DC2.

Configure the DNS server on DC2 to forward requests to DC1.

Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

By converting the ad.contoso.com zone on DC1 to an Active Directory-integrated zone, the DNS zone data will be replicated to DC2 using Active Directory replication. This means that DC2 will have a local copy of the DNS zone data and will be able to update records and resolve DNS queries even if the WAN link fails. This ensures that the DNS service remains available in the branch office even in the event of a WAN link failure.

Explanation

By converting the ad.contoso.com zone on DC1 to an Active Directory-integrated zone, the DNS zone data will be replicated to DC2 using Active Directory replication. This means that DC2 will have a local copy of the DNS zone data and will be able to update records and resolve DNS queries even if the WAN link fails. This ensures that the DNS service remains available in the branch office even in the event of a WAN link failure.

19. Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do?

Raise the forest functional level of fabrikam.com to Windows Server 2008.

Raise the domain functional level of fabrikam.com to Windows Server 2008.

Raise the forest functional level of contoso.com to Windows Server 2008.

Create a new forest trust and enable forest-wide authentication.

Raising the domain functional level of fabrikam.com to Windows Server 2008 will enable the Kerberos AES encryption option. The domain functional level determines the available features and capabilities within a domain, and by raising it to Windows Server 2008, the domain will support the AES encryption algorithm for Kerberos authentication. This will allow contoso.com and fabrikam.com to use AES encryption for secure communication between the two forests.

Explanation

Raising the domain functional level of fabrikam.com to Windows Server 2008 will enable the Kerberos AES encryption option. The domain functional level determines the available features and capabilities within a domain, and by raising it to Windows Server 2008, the domain will support the AES encryption algorithm for Kerberos authentication. This will allow contoso.com and fabrikam.com to use AES encryption for secure communication between the two forests.

20. Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do?

Add and configure a new account partner.

Add and configure a new resource partner.

Add and configure a new account store.

Add and configure a Claims-aware application.

To ensure that AD FS tokens contain information from the Active Directory domain, you need to add and configure a new account store. An account store is used to store user accounts and their attributes, and by adding and configuring a new account store, you can specify the Active Directory domain as the source for user information. This will allow AD FS tokens to contain the necessary information from the Active Directory domain.

Explanation

To ensure that AD FS tokens contain information from the Active Directory domain, you need to add and configure a new account store. An account store is used to store user accounts and their attributes, and by adding and configuring a new account store, you can specify the Active Directory domain as the source for user information. This will allow AD FS tokens to contain the necessary information from the Active Directory domain.

21. Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival. What should you do?

Configure the certificate for automatic enrollment for the computers that store encrypted files.

Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.

Apply the Hisecdc security template to the domain controllers.

Archive the private key on the server.

Archiving the private key on the server is the correct answer because key archival allows for the recovery of encrypted data in case the original key is lost or compromised. By archiving the private key on the server, the encrypted files can be accessed and decrypted if needed. This ensures the security and availability of the encrypted data. The other options mentioned in the question do not specifically address key archival and are therefore not the correct choices.

Explanation

Archiving the private key on the server is the correct answer because key archival allows for the recovery of encrypted data in case the original key is lost or compromised. By archiving the private key on the server, the encrypted files can be accessed and decrypted if needed. This ensures the security and availability of the encrypted data. The other options mentioned in the question do not specifically address key archival and are therefore not the correct choices.

22. You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. What should you do?

Import the enterprise root CA certificate.

Configure the Certificate Revocation List Distribution Point extension.

Configure the Authority Information Access (AIA) extension.

Add the Server2 computer account to the CertPublishers group.

To configure Server1 to support the Online Responder, you need to configure the Authority Information Access (AIA) extension. The AIA extension provides information about where to locate the certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP) responder. This allows clients to check the revocation status of certificates issued by the CA. Importing the enterprise root CA certificate is not necessary for configuring the Online Responder. Configuring the Certificate Revocation List Distribution Point extension is also not required as it is related to the distribution of CRLs, not the configuration of the Online Responder. Adding the Server2 computer account to the CertPublishers group is unrelated to configuring the Online Responder.

Explanation

To configure Server1 to support the Online Responder, you need to configure the Authority Information Access (AIA) extension. The AIA extension provides information about where to locate the certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP) responder. This allows clients to check the revocation status of certificates issued by the CA. Importing the enterprise root CA certificate is not necessary for configuring the Online Responder. Configuring the Certificate Revocation List Distribution Point extension is also not required as it is related to the distribution of CRLs, not the configuration of the Online Responder. Adding the Server2 computer account to the CertPublishers group is unrelated to configuring the Online Responder.

23. Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit. You also need to ensure that the application is not deployed to users in the R&D organizational unit. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

Configure the Block Inheritance setting on the R&D organizational unit.

Configure the Enforce setting on the software deployment GPO.

Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.

Configure the Block Inheritance setting on the Production organizational unit.

To achieve the goal of deploying the application to users in the Production organizational unit while excluding users in the R&D organizational unit, two possible ways are:

1. Configure the Block Inheritance setting on the R&D organizational unit: By blocking inheritance on the R&D organizational unit, the GPO applied to the parent unit (Production) will not be inherited by the child unit (R&D), ensuring that the application deployment does not affect the R&D users.

2. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group: By configuring security filtering, specifically denying the R&D security group from applying the group policy, the application deployment will be restricted only to users outside the R&D organizational unit.

Explanation

To achieve the goal of deploying the application to users in the Production organizational unit while excluding users in the R&D organizational unit, two possible ways are:

1. Configure the Block Inheritance setting on the R&D organizational unit: By blocking inheritance on the R&D organizational unit, the GPO applied to the parent unit (Production) will not be inherited by the child unit (R&D), ensuring that the application deployment does not affect the R&D users.

2. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group: By configuring security filtering, specifically denying the R&D security group from applying the group policy, the application deployment will be restricted only to users outside the R&D organizational unit.

Submit

24. Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

Restart IIS.

Manually delete the Service Connection Point in AD DS and restart AD RMS.

Install Message Queuing.

Start the MSSQLSVC service.

The error message "SQL Server does not exist or access denied" suggests that there is an issue with the SQL Server. Restarting IIS can help resolve any temporary issues with the web server. Starting the MSSQLSVC service is necessary to ensure that the SQL Server is running and accessible. Manually deleting the Service Connection Point in AD DS and installing Message Queuing are not relevant to resolving the SQL Server error.

Explanation

The error message "SQL Server does not exist or access denied" suggests that there is an issue with the SQL Server. Restarting IIS can help resolve any temporary issues with the web server. Starting the MSSQLSVC service is necessary to ensure that the SQL Server is running and accessible. Manually deleting the Service Connection Point in AD DS and installing Message Queuing are not relevant to resolving the SQL Server error.

Submit

25. Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local Global Catalog server to support a new application. You need to configure the domain controller as a Global Catalog server. Which tool should you use?

The Server Manager console

The Active Directory Sites and Services console

The Dcpromo.exe utility

The Computer Management console

The Active Directory Domains and Trusts console

The Active Directory Sites and Services console should be used to configure the domain controller as a Global Catalog server. This console allows administrators to manage the replication topology of Active Directory and control the placement of Global Catalog servers within different sites. By using this tool, the domain controller can be designated as a Global Catalog server for the specific branch office site, enabling it to support the new application.

Explanation

The Active Directory Sites and Services console should be used to configure the domain controller as a Global Catalog server. This console allows administrators to manage the replication topology of Active Directory and control the placement of Global Catalog servers within different sites. By using this tool, the domain controller can be designated as a Global Catalog server for the specific branch office site, enabling it to support the new application.

26. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available. What should you do?

Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.

Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).

Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.

Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.

Implementing an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing ensures that revoked certificate information is highly available. Network Load Balancing allows for load balancing and fault tolerance across multiple servers, ensuring that the OCSP responder is always accessible and responsive. This helps to maintain the security and integrity of the certificate infrastructure within the Active Directory domain.

Explanation

Implementing an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing ensures that revoked certificate information is highly available. Network Load Balancing allows for load balancing and fault tolerance across multiple servers, ensuring that the OCSP responder is always accessible and responsive. This helps to maintain the security and integrity of the certificate infrastructure within the Active Directory domain.

27. Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do?

Run the Dnscmd.exe /ZoneResetType command on DC3.

Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

Run the Ntdsutil.exe > DS Behavior commands on DC3.

not-available-via-ai

Explanation

not-available-via-ai

28. Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. What should you do?

From the Active Directory Users and Computers console, run the Delegation of Control Wizard.

From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).

From the DNS Manager console, modify the permissions of the contoso.com zone.

From the DNS Manager console, modify the permissions of the nwtraders.com zone.

To ensure that a user can modify records in the contoso.com zone but cannot modify the SOA record in the nwtraders.com zone, you should modify the permissions of the contoso.com zone in the DNS Manager console. By adjusting the permissions specifically for the contoso.com zone, you can grant the user the necessary access to make modifications within that zone while restricting their ability to modify the SOA record in the nwtraders.com zone.

Explanation

To ensure that a user can modify records in the contoso.com zone but cannot modify the SOA record in the nwtraders.com zone, you should modify the permissions of the contoso.com zone in the DNS Manager console. By adjusting the permissions specifically for the contoso.com zone, you can grant the user the necessary access to make modifications within that zone while restricting their ability to modify the SOA record in the nwtraders.com zone.

29. Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

Clear the DNS cache on DC2.

Configure conditional forwarding on DC2.

Configure the Listen On address on DC2.

Delete the Root zone on DC2.

The correct answer is to configure conditional forwarding on DC2 and delete the Root zone on DC2.

Configuring conditional forwarding on DC2 allows it to forward unresolved name requests to the DNS1.contoso.com server. This ensures that DC2 can resolve names that it cannot resolve itself.

Deleting the Root zone on DC2 is necessary because having a Root zone can prevent the DNS forwarding option from being available. By deleting the Root zone, the DNS forwarding option becomes available and can be configured to point to the DNS1.contoso.com server.

Explanation

The correct answer is to configure conditional forwarding on DC2 and delete the Root zone on DC2.

Configuring conditional forwarding on DC2 allows it to forward unresolved name requests to the DNS1.contoso.com server. This ensures that DC2 can resolve names that it cannot resolve itself.

Deleting the Root zone on DC2 is necessary because having a Root zone can prevent the DNS forwarding option from being available. By deleting the Root zone, the DNS forwarding option becomes available and can be configured to point to the DNS1.contoso.com server.

Submit

30. All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting.

Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.

To record any failed attempts made by the consultants to access the confidential data, two actions should be performed. Firstly, a new GPO should be created and linked to the SecureServers organizational unit. The Audit object access Failure audit policy setting should be configured in this GPO. This will enable the auditing of failed attempts to access the confidential data. Secondly, on each shared folder on the three file servers, the TempWorkers global group should be added to the Auditing tab. The Failed Full control setting should be configured in the Auditing Entry dialog box. This will allow the auditing of failed attempts made by the consultants to access the shared folders.

Explanation

To record any failed attempts made by the consultants to access the confidential data, two actions should be performed. Firstly, a new GPO should be created and linked to the SecureServers organizational unit. The Audit object access Failure audit policy setting should be configured in this GPO. This will enable the auditing of failed attempts to access the confidential data. Secondly, on each shared folder on the three file servers, the TempWorkers global group should be added to the Auditing tab. The Failed Full control setting should be configured in the Auditing Entry dialog box. This will allow the auditing of failed attempts made by the consultants to access the shared folders.

Submit